Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240730-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/08/2024, 06:51

General

  • Target

    88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe

  • Size

    1.1MB

  • MD5

    400f693c2c8abb895b25e5fb410dd022

  • SHA1

    bca9d595d5559c953b15985cfba5b2fc84b6467d

  • SHA256

    88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39

  • SHA512

    9ba0ac473594e43b1e2f493566201801d8849945e079b9b552f37fefbf9424e399a7f415212df2206c26548d30a58a601b47431235a5690631a97d03aab617dc

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QE:CcaClSFlG4ZM7QzMj

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
    "C:\Users\Admin\AppData\Local\Temp\88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1196
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:664
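The chain above (sample -> WScript.exe running VBS3.vbs from %AppData%\Microsoft -> dropped svchcst.exe, whose name is one character off svchost.exe) is easy to hunt in endpoint telemetry. The Python below is an added example, not part of the sandbox report or the sample: it runs four checks over constructed Sysmon-style process-creation records built from the tree above (the field names, the benign explorer.exe and notepad.exe control records and PID 5000 are assumptions), flagging script hosts launched with a script from a user-writable path, executables under AppData that are spawned by a script host or imitate a system binary name, and hashes that match the artefacts listed under General and Downloads. Note that the Image path reads SysWOW64\WScript.exe while the command line names System32\WScript.exe: the 32-bit dropper is subject to WOW64 file-system redirection, so a rule keyed on the literal System32 image path would miss this launch.

```python
import re
from difflib import SequenceMatcher

# Paths and names taken from the report's process tree.
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft"
SAMPLE = "88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe"
WSCRIPT_CMD = r'"C:\Windows\System32\WScript.exe" "' + ROAMING_DIR + r'\VBS3.vbs"'
DROPPED_CMD = '"' + ROAMING_DIR + r'\svchcst.exe"'

# SHA256 values from the General and Downloads sections of the report.
KNOWN_SHA256 = {
    "88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39": "sample",
    "92a66c11187e5b6fd10d3d78f42d6ac01056850ce856e26fcda748c1e36eea45": "VBS3.vbs",
    "3e7c045ce0592296b6f564b6e52bf736f2087ed2f21b1273679325fdd20cac2a": "svchcst.exe",
}

# Constructed process-creation records modelled on the tree above. Keys mirror
# Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine, Hashes).
# explorer.exe (PID 5000, assumed) and notepad.exe (PID 2000) are benign controls.
EVENTS = [
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe", "sha256": None},
    {"pid": 400, "ppid": 5000, "image": TEMP_DIR + "\\" + SAMPLE,
     "cmd": '"' + TEMP_DIR + "\\" + SAMPLE + '"',
     "sha256": "88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39"},
    {"pid": 876, "ppid": 400, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": WSCRIPT_CMD, "sha256": None},
    {"pid": 1196, "ppid": 876, "image": ROAMING_DIR + r"\svchcst.exe",
     "cmd": DROPPED_CMD,
     "sha256": "3e7c045ce0592296b6f564b6e52bf736f2087ed2f21b1273679325fdd20cac2a"},
    {"pid": 1656, "ppid": 400, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": WSCRIPT_CMD, "sha256": None},
    {"pid": 664, "ppid": 1656, "image": ROAMING_DIR + r"\svchcst.exe",
     "cmd": DROPPED_CMD,
     "sha256": "3e7c045ce0592296b6f564b6e52bf736f2087ed2f21b1273679325fdd20cac2a"},
    {"pid": 2000, "ppid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe", "sha256": None},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)
# Any path under a user's AppData tree (Roaming or Local) is user-writable.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_NAMES = ["svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lookalike_of(name):
    """Return the system binary whose name `name` imitates (close but not
    identical, e.g. svchcst.exe vs svchost.exe), or None."""
    for sys_name in SYSTEM_NAMES:
        if name != sys_name and SequenceMatcher(None, name, sys_name).ratio() >= 0.85:
            return sys_name
    return None


def findings(events):
    """Return (pid, rule) pairs for every record that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: a script host handed a script that lives under AppData.
        if (name in SCRIPT_HOSTS and USER_WRITABLE.search(e["cmd"])
                and SCRIPT_EXT.search(e["cmd"])):
            out.append((e["pid"], "script_host_runs_appdata_script"))
        # Rules 2 and 3 apply only to executables running from user-writable paths.
        if USER_WRITABLE.search(e["image"]):
            target = lookalike_of(name)
            if target:
                out.append((e["pid"], "lookalike_of_" + target))
            if parent and basename(parent["image"]) in SCRIPT_HOSTS:
                out.append((e["pid"], "exe_spawned_by_script_host"))
        # Rule 4: hash matches an artefact from this report.
        if e["sha256"] in KNOWN_SHA256:
            out.append((e["pid"], "known_ioc_" + KNOWN_SHA256[e["sha256"]]))
    return out


def flagged_pids(events):
    return sorted({pid for pid, _ in findings(events)})


if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(pid, rule)
```

The lookalike rule uses a similarity threshold rather than an exact list of typo-squats, so it also catches other one-character variants of the names in SYSTEM_NAMES; tune the 0.85 threshold against your own baseline before deploying it, since short names can collide.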

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    cc615a03c0c33f72cab0bc9df2a1c1ec

    SHA1

    ab67acc1a0c36c8082f761f5139a9586c62fbdab

    SHA256

    92a66c11187e5b6fd10d3d78f42d6ac01056850ce856e26fcda748c1e36eea45

    SHA512

    3f929dcddd2933a5cd105c48e6735d54bb6f9ca10e961de6d76142b92f5e2af1c1ae8f2ae759c2aea4f5fe2f0735044e8036d05a3c14e8c6c1bc7dc07a7fbcfe

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    af81bc53ee17a7d9bda879d1f7a0caec

    SHA1

    30bb0c33dfad2637ab257f32bf3173eda37d32f8

    SHA256

    3e7c045ce0592296b6f564b6e52bf736f2087ed2f21b1273679325fdd20cac2a

    SHA512

    73846b95e09c6372a0c5aefca59fdce48e4b4f60fe7ac3df959101fad7a876d8fe7686f07418b7f4ddd31785c83bbe296bc1a2dd7e436e177a64ef806b4d9f3b

  • memory/400-10-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB